
Safari AutoFill Security Flaw Found, Grants Access to Personal Information

The Register is reporting that a security flaw has been found in Safari’s AutoFill feature that has the potential to allow a malicious website to pull users’ personal information from their Address Book. The security expert who found the flaw, Jeremiah Grossman, posted the details of the vulnerability on his blog and offers a proof-of-concept webpage that lets users see whether they are at risk of attack.

To my understanding, this exploit uses Safari’s ability to grab data from Address Book (AutoFill), and since Address Book does not encrypt data, information can easily be grabbed.

All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript. When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.

Oddly, fields that begin with numbers, such as phone numbers and street addresses, are not vulnerable; however, things such as names, city, state, and so on can be accessed.

Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload. In fact, there is no guarantee this has not already taken place. What is safe to say is that this vulnerability is so brain dead simple that I assumed someone else must have publicly reported it already, but exhaustive searches and asking several colleagues turned up nothing.

Grossman reports that he filed this issue with Apple on June 17th, but received nothing more than the automatically generated response. In the meantime, until Apple can issue a fix, you can turn off AutoFill in Safari’s preferences.
